OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

STATE DISABILITY DETERMINATION SERVICES' REMOVAL OF SENSITIVE INFORMATION FROM EXCESSED COMPUTERS

August 2005   A-14-05-15063

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and
in our own office.

SOCIAL SECURITY

MEMORANDUM

Date:   August 4, 2005                                   Refer To:

To:     The Commissioner

From:   Inspector General

Subject: State Disability Determination Services' Removal of Sensitive Information from Excessed Computers (A-14-05-15063)

OBJECTIVE

Our objectives were to examine the policies and procedures that the State Disability Determination Services (DDS) follow when excessing computer equipment and to ensure that sensitive information is removed prior to the computer's disposition.

BACKGROUND

In February 2004, we were made aware of audit results from a North Carolina State Auditors[1] report in which they had selected a sample of computers that were excessed by a variety of State agencies. The auditors found that the majority of these machines had hard drives that were readable, and data files that were accessible, which included password files and other sensitive information. Some of these computers were from the North Carolina Department of Health and Human Services, which is the parent agency for the North Carolina DDS.

The Social Security Administration's (SSA) Office of Federal Disability Determination Services (FDDS) and the 54 DDSs make disability determinations and process disability claims. DDSs use various software applications, known as case processing systems, to develop, review and process disability determinations. These case processing systems run on various hardware platforms,[2] which store and process sensitive information.
This information includes individual names and addresses, Social Security numbers and medical information of disability claimants.

[1] The State of North Carolina, Office of the State Auditor, Information Security Assessment: Implementation of Enterprise Security Standard S003, Permanent Removal of Data from Electronic Media, February 2004.
[2] The type of computer on which a given operating system or application runs.

Page 2 - The Commissioner

Wang computers were used by 26 of the DDSs and the FDDS as their hardware platform. Each of these sites has migrated from using Wang computers to IBM iSeries (AS/400) computers as their hardware platform, with the exception of Nebraska, which is in the process of migrating to an SSA-standard server platform. As of January 25, 2005, SSA data showed that of the 27 Wang computers, 12 have been disposed of and the remaining 15 are still on-site at the DDSs.

According to SSA's Disability Determination Services Security Document (DSD),[3] DDSs are required to run the SSA-approved Wipe Disk software utility on equipment that was used for the storage of sensitive information (servers, laptops, workstations, etc.) prior to its disposal or donation to another entity. Wipe Disk is a software program that "wipes" or erases a disk drive of its data by overwriting the entire drive with repetitive characters, making the data irretrievable.

To test whether equipment had been properly cleansed of sensitive data prior to its being excessed, we selected four DDS sites and requested a list of computer equipment on-site ready for disposal.
Table 1 below shows the equipment selected from each DDS site for testing.

TABLE 1

DDS Site               Servers   Laptops   Workstations   Total
District of Columbia         0         0             10      10
North Carolina               0         5              5      10
Pennsylvania                 2        12              7      21
Delaware                     0         0              6       6
Total                        2        17             28      47

[3] Disability Determinations Services Security Document (September 2003), page 36.

RESULTS OF REVIEW

Data on all servers, laptops and workstations that we forensically tested at the four selected sites had been properly removed with the Wipe Disk utility. However, we identified two issues which potentially affect equipment used in a significant number of the DDSs. These issues relate to the limitations of the Wipe Disk utility and its ability to remove sensitive data from computer equipment in the DDSs.

First, DDSs are potentially excessing Wang computers without ensuring that data is irretrievable from the hard drives. The Wipe Disk utility does not work on Wang computers. Therefore, the Wang computers still on-site at the DDSs are at risk of being excessed with sensitive data intact.

Second, two of the four selected DDSs had boxes of obsolete server tapes on-site.[4] Because these tapes were used as server back-ups[5] they may contain sensitive information.
Systems personnel at these DDSs informed us that they were storing the tapes because they were unaware of any guidance from SSA on how to remove data before disposal of the tapes.

Wang computers are potentially being excessed with sensitive data intact

DDSs are potentially excessing Wang computers without ensuring that data is irretrievable from their hard drives. As noted previously in the Background section, Wang computers were used by 26 of the DDSs and the FDDS. As a result, claimants' medical or personal information, as well as sensitive SSA data, is at risk of being compromised. When equipment is taken out of service and prepared for disposal, the Wipe Disk utility must be used by DDSs to cleanse the hard drive of sensitive information. Of the four DDSs we selected for testing, two still had their obsolete Wang computers on-site and the remaining two DDSs did not use Wangs.

An individual from the Office of Public Service and Operations Support provided guidance to the regions via e-mail stating that there is not a utility, such as Wipe Disk, that can be used on the Wang computers. This individual recommended that the regions reformat the hard drives to make the data irretrievable. However, reformatting a hard drive does not make the stored information irretrievable: reformatting rewrites only the file system structures, and there are software utilities that can recover the data from a reformatted drive.
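The difference between reformatting and overwriting, as an added Python illustration that is not part of the OIG report and does not model the Wipe Disk utility itself (the report does not describe its internals): a toy drive image holds constructed, obviously fake claimant records; a reformat rewrites only the file system header in sector 0, so reading the raw sectors the way a forensic tool does still recovers every record, whereas overwriting every byte with a repetitive character leaves nothing to carve. The last function is the acceptance check a site would run on a drive before excessing it.

```python
import re

SECTOR = 512
IMAGE_SIZE = 8 * SECTOR          # an 8-sector toy "drive" (constructed)

# Constructed, fake records of the kind the report says case-processing
# systems hold: name, SSN-shaped identifier, medical note.
SAMPLE_RECORDS = [
    b"NAME=Jane Example;SSN=123-45-6789;DX=example diagnosis",
    b"NAME=John Sample;SSN=987-65-4321;DX=sample diagnosis",
    b"NAME=Pat Placeholder;SSN=555-12-3456;DX=placeholder note",
]
HEADER_MAGIC = b"TOYFS-V1"       # constructed file system header marker
SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")


def build_image() -> bytearray:
    """Sector 0 holds the file system header; one record per data sector."""
    image = bytearray(IMAGE_SIZE)
    image[:len(HEADER_MAGIC)] = HEADER_MAGIC
    offset = SECTOR                              # first data sector
    for rec in SAMPLE_RECORDS:
        image[offset:offset + len(rec)] = rec
        offset += SECTOR
    return image


def reformat(image: bytearray) -> bytearray:
    """A reformat writes fresh file system metadata into sector 0 only.
    Every data sector is left exactly as it was."""
    out = bytearray(image)
    out[:SECTOR] = bytes(SECTOR)
    out[:len(HEADER_MAGIC)] = HEADER_MAGIC
    return out


def wipe(image: bytearray, fill: bytes = b"\x00", passes: int = 1) -> bytearray:
    """Overwrite every byte of the drive with a repeating fill pattern,
    the behaviour the report attributes to a disk-wiping utility."""
    out = bytearray(image)
    for _ in range(passes):
        out[:] = (fill * (len(out) // len(fill) + 1))[:len(out)]
    return out


def carve_ssns(image: bytes) -> list[bytes]:
    """Read the raw sectors directly, as a forensic tool does, ignoring
    whatever the file system header claims is allocated."""
    return SSN_RE.findall(bytes(image))


def verify_wiped(image: bytes, fill: bytes = b"\x00") -> bool:
    """Acceptance check before excessing: the whole drive must equal the fill."""
    expected = (fill * (len(image) // len(fill) + 1))[:len(image)]
    return bytes(image) == expected


if __name__ == "__main__":
    drive = build_image()
    print("reformatted drive still carves:", carve_ssns(reformat(drive)))
    print("wiped drive carves:", carve_ssns(wipe(drive)))
    print("wiped drive passes verification:", verify_wiped(wipe(drive)))
```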
The audit report issued by the North Carolina State Auditors, for example, noted that they were able to rebuild and gain access to all of the hard drives that had been reformatted prior to their being excessed.[6] If the hard drives had been reformatted for any of the previously excessed Wang computers, these drives may still contain sensitive data.

[4] The obsolete server tapes retained at the two DDSs were from both Wang and non-Wang equipment.
[5] Back-up is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe.
[6] The State of North Carolina, Office of the State Auditor, Information Security Assessment: Implementation of Enterprise Security Standard S003, Permanent Removal of Data from Electronic Media, February 2004, page 7.

Ideally, the Agency would seek a software utility similar to Wipe Disk to use for the disposition of the Wang computers still on site at the DDSs. However, it appears that no such utility exists. Until such time, it is advisable for SSA to instruct the DDSs to remove or physically destroy the hard drives prior to the disposal or donation of these computers to another entity. Once the Agency determines an appropriate method of ensuring that data is irretrievable from these computers, official guidance should be disseminated to the DDSs.

Obsolete server tapes are still being held

Two of the four selected DDS sites stored old magnetic tapes from obsolete servers. These tapes were used for server back-ups and may contain sensitive information. The DSD mandates the use of Wipe Disk on equipment used for data storage such as hard drives, but does not address how to ensure sensitive data is removed from other storage media with which the Wipe Disk utility is incompatible.
One such storage medium with which Wipe Disk is incompatible is magnetic tape.

SSA's Program Operations Manual System (POMS) requires disposal of any claimant data in such a manner as to make the data irretrievable to unauthorized personnel and that magnetic tapes are to be erased before the tapes are released to other users.[7] However, POMS does not address the method for erasing the data. Some methods of erasing data will not make it irretrievable to unauthorized personnel. The Wipe Disk utility only overwrites the hard drive or drives on a device and does not work on magnetic tapes.

The DDS systems personnel in these two offices stated they were unaware of SSA guidance on how to dispose of these tapes. While the DSD is intended to supplement existing policies and procedures in the POMS, the guidance relevant to systems security for DDSs needs to be uniform. The Agency should determine an appropriate method of ensuring that data is removed from obsolete server tapes and other media. Once determined, the DSD and POMS should be updated to reflect this method. SSA also needs to ensure that DDS employees are aware of the appropriate policy.

[7] POMS, section DI 39566.080.

CONCLUSIONS AND RECOMMENDATIONS

The DSD requires DDSs to run the SSA-approved Wipe Disk utility on equipment that was used for the storage of sensitive information prior to its disposal or donation to another entity. Data had been properly removed from all excess servers, laptop and desktop computers that we forensically tested. However, there is not an appropriate method of ensuring that data is irretrievable from obsolete Wang computers. In addition, the DSD does not clearly mandate a method for removing data from other storage media such as server tapes. As a result, sensitive information on obsolete Wang computers and server tapes is at risk.

We recommend SSA:

1.
Direct DDSs either to ensure data is irretrievable or physically remove and destroy the hard drives on computers to be excessed.

2. Modify or update the DSD and POMS to ensure the Agency's guidance is complete and consistent regarding the proper method of removing data from and disposing of obsolete server tapes.

3. Ensure DDS personnel are aware of the policy and procedures to dispose of any claimant data in such a manner as to make the data irretrievable to unauthorized personnel.

AGENCY COMMENTS

SSA agreed with our recommendations. See Appendix C for the text of SSA's comments.

Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

DDS    Disability Determination Services
DSD    Disability Determination Services Security Document
FDDS   Office of Federal Disability Determination Services
OIG    Office of the Inspector General
POMS   Program Operations Manual System
SSA    Social Security Administration

Appendix B

Scope and Methodology

Our objectives were to examine the policies and procedures that the State Disability Determination Services (DDS) follow when excessing computer equipment and to ensure that sensitive information is removed prior to the computer's disposition.

To accomplish these objectives, we selected four DDS sites (North Carolina, District of Columbia, Pennsylvania and Delaware) and requested a list of computer equipment, if any, that they had on-site and were ready for
disposal:

  • From the District of Columbia equipment list, we selected 10 out of 33 pieces of equipment for testing, and we performed our testing on-site.

  • We selected 10 out of 22 pieces of equipment for testing from the North Carolina inventory of surplus equipment. Five of these items were tested on-site. The remaining five were brought back to the Office of the Inspector General's (OIG) headquarters in Baltimore for testing.

  • From the Pennsylvania equipment list, we selected all 21 pieces of equipment for testing, and we performed our testing on-site.

  • From the Delaware equipment list, we selected 6 out of 49 pieces of equipment for testing and we requested that the DDS systems personnel remove the hard drives from 6 workstations that were being excessed. These hard drives were then transported back to the OIG headquarters and tested.

To accomplish our testing we used EnCase®, a forensic software product that enabled us to read the contents of the hard drives being tested. We also interviewed DDS personnel as to the policies and procedures they followed for disposing of computer equipment to verify that they were following Social Security Administration policy. Our work was performed at the selected sites from June 2004 to February 2005 in North Carolina, District of Columbia, Pennsylvania, Delaware and Maryland. We conducted our review in accordance with generally accepted government auditing standards.

Appendix C

Agency Comments

SOCIAL SECURITY

MEMORANDUM

                                                  34321-24-1358
Date:   July 15, 2005                             Refer To: S1J-3

To:     Patrick P.
O'Carroll, Jr.
        Inspector General

From:   Larry W. Dye /s/
        Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "State Disability Determination Services' Removal of Sensitive Information from Excessed Computers" (Audit No. 22005015)—INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report are attached.

Please contact me if you have any questions. Staff questions may be referred to Candace Skurnik, Director of the Audit Management and Liaison Staff, at extension 54636.

Attachment

C-1

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "STATE DISABILITY DETERMINATION SERVICES' REMOVAL OF SENSITIVE INFORMATION FROM EXCESSED COMPUTERS" (A-14-05-15063)

Thank you for the opportunity to review and provide comments on this OIG draft report. We agree with the thrust of the report. The Social Security Administration (SSA) has a responsibility to protect our clients' sensitive data from compromise during the disposal process, and we take that responsibility very seriously. SSA maintains and enforces effective policies and procedures for protecting sensitive data during its disposal. As noted in this OIG report, the data disposal issues at Disability Determination Service (DDS) offices are limited in scope. We are working to resolve these issues to ensure that sensitive data is not compromised.

Recommendation 1

Direct DDSs either to ensure data is irretrievable or physically remove and destroy the hard drives on computers to be excessed.

Comment

We agree. We are working to develop appropriate methods to ensure that sensitive data is removed from all electronic media prior to its disposal.
Until the procedures are ready, we have instructed the DDSs that have Wang processors and backup tapes not to excess them until we are sure the data can be completely destroyed.

The draft report highlights two problem areas: 1) limitations of the Wipe Disk utility as it applies to Wang servers; and 2) DDSs storing obsolete server tapes in lieu of guidance from SSA on how to dispose of them. SSA is working with a contractor to design an optimal process to ensure that sensitive data is eradicated from the Wang proprietary hardware prior to its disposal. As noted in the OIG draft report, Nebraska is the only State still using a Wang server and they are migrating away from it. Of the 15 Wang servers mentioned in the OIG report, 14 are currently out of production and the 15th soon will be.

In the area of tape disposal, we are working to finalize a proposal that, once implemented, will resolve this issue. In the interim, the DDSs and other SSA offices are temporarily storing tapes until they can be degaussed, rather than risking the inadvertent release of sensitive data.

Recommendation 2

Modify or update the DDS Security Document (DSD) and Program Operations Manual System (POMS) to ensure the Agency's guidance is complete and consistent regarding the proper method of removing data from and disposing of obsolete server tapes.

Comment

We agree. The DSD and POMS (subchapter DI 39566.000 DDS' Privacy and Security) will be updated once we have developed the appropriate methods to ensure that sensitive data is removed from all electronic media prior to its disposal, including the data from the Wang processors and backup tapes.

Recommendation 3

Ensure DDS personnel are aware of the policy and procedures to dispose of any claimant data in such a manner as to make the data irretrievable to unauthorized personnel.

Comment

We agree.
On June 8, 2005, we provided a reminder to SSA regional offices requesting that they instruct the DDSs that have Wang processors and backup tapes not to excess them until we are sure the data can be completely destroyed. Once we have developed appropriate methods for ensuring that sensitive data is removed from the subject electronic media prior to its disposal, we will provide any necessary additional reminders to SSA regional offices and the DDSs. Currently, the DSD provides instructions to the States regarding disposal of claimant data. We will ensure that the DSD and POMS are updated to include language that the data should be irretrievable to unauthorized personnel.

[In addition to the information listed above, SSA also provided technical comments which have been addressed, where appropriate, in this report.]

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Albert Darago, Acting Director, Data Analysis and Technical Audits Division (410) 965-9710

   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch (410) 965-9719

Acknowledgments

In addition to those named above:

   Greg Thompson, Senior Auditor

   Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number A-14-05-15063.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO).
To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.